counter target

Greetings netfilter,

I have a question about the location of a "counter" statement.

I see from the wiki [0] that placing a counter for the default policy
comes *after* the policy:

table ip counter_demo {
    chain IN {
        type filter hook input priority filter; policy drop;

        protocol tcp counter
    }
}

That feels a little counterintuitive to place a counter after the
packet "appears" to have been dropped.

Thus, do I place other counter statements *after* their corresponding
netfilter stanzas:

table inet filter {
    chain input {
        # accept traffic originated from us
        ct state vmap {
            established: accept,
            related:     accept,
            invalid:     drop,
        }
        counter
    }
}

Or do I place the counter before:

table inet filter {
    chain input {
        counter

        # accept traffic originated from us
        ct state vmap {
            established: accept,
            related:     accept,
            invalid:     drop,
        }
    }
}

Or does it not matter?

Thanks for helping me understand.

Cheers,

-m

[0] https://wiki.nftables.org/wiki-nftables/index.php/Counters


